CVE-2022-31031: Potential stack buffer overflow when parsing message as a STUN client

First published: Tue Jun 07 2022

PJSIP is a free and open source multimedia communication library written in C, implementing standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including 2.12.1, a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications, either by setting a STUN server in their account/media config at the PJSUA/PJSUA2 level, or by directly using the `pjlib-util/stun_simple` API. A patch is available in commit 450baca and should be included in the next release. There are no known workarounds for this issue.

Credit: security-advisories@github.com

Affected software, affected version, and how to fix:

  • Teluu PJSIP: affected <=2.12.1
  • Debian Debian Linux: affected =10.0
  • Debian Debian Linux: affected =11.0
  • ubuntu/ring: affected <20180228.1.503; fixed in 20180228.1.503
  • ubuntu/ring: affected <20190215.1.; fixed in 20190215.1.
  • debian/asterisk: affected <=1:16.2.1~dfsg-1+deb10u2; fixed in 1:16.28.0~dfsg-0+deb10u4, 1:16.28.0~dfsg-0+deb11u3, 1:16.28.0~dfsg-0+deb11u4, 1:20.6.0~dfsg+~cs6.13.40431414-2
  • debian/ring: affected <=20190215.1.f152c98~ds1-1+deb10u1 and <=20210112.2.b757bac~ds1-1; fixed in 20190215.1.f152c98~ds1-1+deb10u2, 20230206.0~ds2-1.1, 20231201.0~ds1-1

Frequently Asked Questions

  • What is CVE-2022-31031?

    CVE-2022-31031 is a stack buffer overflow vulnerability in PJSIP that affects users that use STUN in their applications.

  • What is the severity of CVE-2022-31031?

    The severity of CVE-2022-31031 is critical with a CVSS score of 9.8.

  • How does CVE-2022-31031 affect Teluu Pjsip?

    CVE-2022-31031 affects Teluu Pjsip versions up to and including 2.12.1.

  • How does CVE-2022-31031 affect Debian Debian Linux 10.0?

    CVE-2022-31031 affects Debian Debian Linux 10.0.

  • How does CVE-2022-31031 affect Debian Debian Linux 11.0?

    CVE-2022-31031 affects Debian Debian Linux 11.0.

  • How do I fix CVE-2022-31031 in Teluu Pjsip?

    To fix CVE-2022-31031 in Teluu Pjsip, update to a version higher than 2.12.1.

  • How do I fix CVE-2022-31031 in Debian Debian Linux 10.0?

    To fix CVE-2022-31031 in Debian Debian Linux 10.0, apply the security patch with the version 1:16.28.0~dfsg-0+deb10u3 or higher.

  • How do I fix CVE-2022-31031 in Debian Debian Linux 11.0?

    To fix CVE-2022-31031 in Debian Debian Linux 11.0, apply the security patch with the version 1:16.28.0~dfsg-0+deb11u3 or higher.

  • What are the Common Weakness Enumerations (CWE) associated with CVE-2022-31031?

    The Common Weakness Enumerations (CWE) associated with CVE-2022-31031 are CWE-119, CWE-120, and CWE-787.

© 2024 SecAlerts Pty Ltd.